Tags: jsf, jakarta-ee, viewexpiredexception

Is it wrong to ignore ViewExpiredException?


A week ago I studied ViewExpiredException, and I've read several things about it.

My problem is that in some cases I would like to ignore the ViewExpiredException. These are situations that do not need a "session", and my beans are @RequestScoped; for example, the pages login.xhtml, register.xhtml and passwordRecovery.xhtml.

In these cases it is very strange to display an error to the user saying that their session has expired. So if you open the login page and sit idle for a while, then fill in your data and click Login, you would be forwarded to an error page. I would rather just ignore it and make it transparent to the user.

So, my solution so far is to create an ExceptionHandler to ignore these exceptions:

@Override
public void handle() throws FacesException {
    for (Iterator<ExceptionQueuedEvent> i = getUnhandledExceptionQueuedEvents().iterator(); i.hasNext();) {
        ExceptionQueuedEvent event = i.next();
        ExceptionQueuedEventContext context = (ExceptionQueuedEventContext) event.getSource();
        Throwable t = context.getException();
        // just remove the exception from queue
        if (t instanceof ViewExpiredException) {
            i.remove();
        }
    }
    getWrapped().handle();
}

Then I created a filter to check whether the user is logged in and, if not, redirect to the login page (this filter applies only to pages that require authentication):

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    if (!loginManagedBean.isLogged()) {
        String pathLogin = request.getContextPath() + "/" + LOGIN_VIEW;
        if (isAJAXRequest(request)) {
            response.setContentType("text/xml");
            response.getWriter()
                    .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
                    .printf("<partial-response><redirect url=\"%s\"></redirect></partial-response>", pathLogin);
            return;
        }

        pathLogin += "?source=" + request.getServletPath();

        response.sendRedirect(pathLogin);
        return;
    }

    chain.doFilter(request, response);
}

So when the session expires, it does not affect the user experience on the login and registration pages. And the pages where I do want a session are handled by the filter.

Would that be a good solution? Is there any security risk in ignoring ViewExpiredException in an ExceptionHandler?


Solution

  • Ignoring them is not technically bad in this specific case, but it indicates a bad design. It's as if you're using the wrong tool for the job. I.e. those views should actually never expire.

    Just make specifically those views stateless.

    <f:view transient="true">
        ...
    </f:view>
    

    This can be placed anywhere in the page, even duplicated, but most self-documenting is making it the top level tag of the page, composition or definition.

    See also: